In today's connected electronic society, the technology and know-how to create a completely connected electronic global system has been available and in use at various levels. However, the utopian ideal of complete and unfettered connectivity is seriously undermined by the electronic “outlaws.” Computer viruses, industrial and national spying, information theft, and the like pose real financial risks to maintaining completely free connectivity. Because a genuine need exists for certain computer systems to be connected into the public domain, such as through the public or commodity internet, technology has been developed to provide various levels of protection from computer-based mischief.
One such technology used to minimize the risks of computer-based mischief is a firewall. Firewalls, which can be software, hardware, or a combination of both, are used in modern networks to screen out unwanted or malicious traffic. One of many techniques a firewall may use is packet filtering, wherein the firewall determines whether or not to allow individual packets by analyzing information in the packet header (such as the Internet Protocol (IP) address and port of the source and destination). Thus, various ports (defined below) or IP addresses may be blocked to minimize the risk of allowing malicious traffic into an important computer network or system. Another, more advanced technique is called stateful inspection, wherein, in addition to analyzing header information, a firewall keeps track of the status of any connection opened by network devices behind the firewall. Under stateful inspection, the decision whether a packet is dropped is based on the tracked status of the connection and information from within the packet header. In practice, firewalls (especially those used by large corporations) generally only allow traffic from the well-known ports, though such firewalls may be specially configured to allow traffic on any port. For multimedia communication systems that use multiple registered and dynamic ports, firewalls (unless specially configured) will generally block the data traffic on these ports between multimedia systems, thus preventing communication.
In communications over the commodity internet, much of the communication occurs using Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP is the transport protocol of the internet. One mechanism used to handle IP addresses is the TCP/IP port system. A port is a sixteen-bit integer, the value of which falls into one of three ranges: the well-known ports, ranging from 0 through 1023; the registered ports, ranging from 1024 through 49151; and the dynamic and/or private ports, ranging from 49152 through 65535. The well-known ports are reserved for assignment by the Internet Corporation for Assigned Names and Numbers (ICANN) for use by applications that communicate using the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) and generally can only be used by a system/root process or by a program run by a privileged user. The registered ports may be registered by companies or individuals for use by applications that communicate using TCP or UDP. The dynamic or private ports, by definition, cannot be officially registered, nor are they assigned.
A TCP/IP port is typically assigned to user sessions and server applications in an IP network. Destination ports are generally used to route packets on a server to the appropriate network application. Thus, some ports are typically associated with particular internet applications. For example, port 80 is the standard port for Hypertext Transport Protocol (HTTP), while port 443 is the standard port for Secure HTTP (HTTPS). HTTP and HTTPS traffic may validly communicate over other ports; however, ports 80 and 443 have been assigned as the default ports for handling HTTP and HTTPS traffic, respectively. Routers and firewalls typically analyze the port numbers of incoming data packets to determine how each packet should be handled. Routers review the port number to determine where to route the packet next. When using packet filtering methods, firewalls review the port numbers to determine whether or not packets on that particular port represent traffic that is known to potentially contain a security threat. If a threat is indicated for that particular port, the packet is dropped.
Many such firewalls use packet filtering to protect the underlying system. Thus, the ports that typically carry unpredictable packets are usually closed to traffic. In operation, a large number of ports are closed by default. These closed port ranges are usually associated with data traffic for applications that are unpredictable or known to carry undesirable traffic.
Another technique used by some firewalls and many other networking components to interface private networks or sub-networks with the commodity internet is Network Address Translation (NAT). NAT typically uses a single public IP address for the network interface, but then assigns individual clients on the private network or sub-network a dynamic IP address selected from a group of private IP addresses for that particular private network or sub-network. NAT has thereby extended IP addressing beyond the finite number of addresses available. However, the translation of addresses becomes a very complicated process when attempting to connect one endpoint to another endpoint located behind a NAT system.
The use of firewalls and NAT to secure and administer networks has allowed an increase in overall connectivity while improving the security of those networks. However, this increased security hampers adaptation to advances in communication technology. Voice over IP (VoIP) is becoming a popular alternative to the traditional Plain Old Telephone System (POTS) and the Publicly Switched Telephone Network (PSTN). In order to implement VoIP, though, new transmission protocols were developed to handle the specific needs of such systems. Session Initiation Protocol (SIP) and H.323 are two examples of such protocols that have been defined for handling the administration of VoIP and its natural extension to multimedia communication.
H.323 is a multimedia conferencing protocol, which includes voice, video, and data conferencing, for use over packet-switched networks. SIP is a signaling protocol for Internet conferencing, telephony, presence, events notification, and instant messaging. While these protocols allow for efficient management of IP-based communication, they run into serious problems when encountering firewalls and NAT systems.
Many communication protocols, including H.323 and SIP, use multiple different ports that can be selected dynamically as the session is initiated. The problem arises because the majority of these ports are closed in typical firewall installations. Therefore, in order to accommodate any type of IP-based communications, large numbers of ports would need to be opened in the firewall. If too many ports remain open, any given entity would risk exposure to potentially harmful unauthorized intrusion.
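The following is an added illustration, not part of the original text, of the packet-filtering and stateful-inspection behaviour described above and of why dynamically selected multimedia ports are blocked: a toy stateful filter allows outbound connections and their replies, but drops unsolicited inbound packets on ports that were not explicitly opened. The IP addresses and the port numbers 5060 and 49170 used for the sample exchange are constructed assumptions.

```python
from dataclasses import dataclass

# Port ranges as given in the text above.
WELL_KNOWN_MAX = 1023      # 0-1023 well-known
REGISTERED_MAX = 49151     # 1024-49151 registered; above is dynamic/private

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = from the protected network, "in" = from the Internet

def port_range(port: int) -> str:
    """Classify a 16-bit port into the three ranges named in the text."""
    if not 0 <= port <= 65535:
        raise ValueError("port must be a 16-bit integer")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    return "registered" if port <= REGISTERED_MAX else "dynamic"

class StatefulFirewall:
    """Outbound traffic is allowed and recorded; inbound traffic is allowed only
    to explicitly opened ports or as a reply to a connection opened from inside."""
    def __init__(self, open_inbound_ports=()):
        self.open_inbound_ports = set(open_inbound_ports)
        self.connections = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            self.connections.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "allow"
        if p.dst_port in self.open_inbound_ports:      # packet-filter rule
            return "allow"
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.connections:
            return "allow"                              # stateful rule: known reply
        return "drop"

def simulate_call():
    """Constructed exchange: an inside endpoint signals out on port 5060 (SIP, assumed),
    then the remote party sends media to a dynamic port (49170, assumed) never opened."""
    fw = StatefulFirewall(open_inbound_ports={80, 443})
    inside, remote = "10.0.0.5", "203.0.113.7"
    return [
        fw.decide(Packet(inside, 5060, remote, 5060, "out")),  # signaling out
        fw.decide(Packet(remote, 5060, inside, 5060, "in")),   # reply: allowed
        fw.decide(Packet(remote, 49170, inside, 49170, "in")), # unsolicited media: dropped
    ]
```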
In NAT systems, each endpoint inside the system does not have a static IP address. Therefore, during setup of point-to-point communication, it is difficult to map out the connection because the target endpoint does not have a fixed, known IP address. The NAT server only provides an IP address when the internal endpoint needs one. Part of the header information in an H.323 or SIP data packet is the destination address. This information may be difficult to know when the NAT server has not yet assigned an IP address to a specific endpoint, or because the IP address assigned for a first call may not be the same IP address assigned for a subsequent call to the same endpoint.
To address this problem of firewall traversal and NAT, companies have designed various solutions from complex systems to simple workarounds. FIG. 1 is a block diagram illustrating a typical complex architecture of IP communication system 10. IP communication system 10 implements a multimedia communication system over the IP protocol. Communication in IP communication system 10 is limited by firewalls 100 and 101. Communication begins with the video and audio captured at endpoint 102. Using a multimedia transport protocol, such as H.323, SIP, or the like, multiple ports are selected by endpoint 102 to effect communication of the multimedia data. Endpoint 102 is connected to gatekeeper 103, which is still behind firewall 100.
Gatekeepers 103 and 107 are special gatekeepers that include proprietary code for establishing a connection over Internet 11 with base controller 106, which is located outside of firewalls 100 and 101. Base controller 106 also includes proprietary code that operates in connection with the code on gatekeepers 103 and 107. In operation, gatekeepers 103 and 107 are registered with base controller 106, such that a known communication setup routine has already been established between them. Firewalls 100 and 101 are modified to open a certain number of specific ports for all communications from gatekeeper 103. The firewall technicians maintaining firewalls 100 and 101 work with the provider of IP communication system 10 on installation to identify the specific ports that communication channels 105 will be transmitted over. Once those ports are opened, IP communication may occur over channels 105.
Gatekeepers 103 and 107 also provide for converting communication streams that may originate on different ports into channels 105. For example, monitor 102 communicates using H.323, which uses communication channels 104. Gatekeeper 103 shifts the data from communication channels 104 over to communication channels 105 in order to traverse firewall 100.
IP communication system 10 may also include special communication equipment, such as communication unit 109, which includes special proprietary code specifically developed for use in IP communication system 10. When using this special equipment, a user is able to connect to base controller 106 without first connecting to gatekeeper 103. Communication unit 109 is also registered with base controller 106 and packages all communication streams into channels 105 to traverse firewall 100 using the specified ports. Thus, a user at communication unit 109 may establish IP communication with a user at endpoint 108 without first connecting to gatekeeper 103. Examples of systems configured similarly to IP communication system 10 are provided by companies such as TANDBERG and the like. The limitation of such systems is that holes are still opened in the firewalls. There is nothing already in the security provisions of the firewalls that would prevent hostile traffic from entering through the ports that are opened to implement IP communication system 10.
FIG. 2 is a block diagram illustrating IP communication system 20. IP communication system 20 is configured to allow various levels of IP communication between individuals located at entity site 200, remote entity site 210, and home site 217. IP communication system 20 is implemented using a base server, communication server 203, in communication with individual client instances, clients 204, 209, and 212. At entity site 200, communication server 203 is placed in the middle-network zone, DMZ 218, which is the sub-network that sits between the trusted network of entity site 200 and Internet 11. Many network components or servers that have direct connectivity to Internet 11 are situated within DMZ 218. For example, in addition to communication server 203, DMZ 218 also contains e-mail server 215, Web server 216, and the like. DMZ 218 is typically delimited by a private network firewall, such as private firewall 201, and an Internet firewall, such as Internet firewall 202. Internet firewall 202 maintains more open ports that are typically useful in receiving Internet-driven communication, such as email, Web requests, and the like, while private firewall 201 is much more restrictive in the ports through which it allows access into the private network of entity site 200.
When IP communication is desired, endpoints 205 and 206 each establish connections to client 204. Client 204 receives all of the communication streams directed to different ports, multi-port communications 207, and multiplexes those different communication streams into a single stream directed to a single port, single port data stream 208. In setting up IP communication system 20, the firewall administrators designate a single, specific port in both private firewall 201 and Internet firewall 202 for accepting data packets. Client 204 then transmits the multiplexed communication over single port data stream 208 to communication server 203 via private firewall 201. Communication server 203 will then transmit the multiplexed communication to the targeted endpoint at either one or both of remote entity site 210 and home site 217. Similarly, endpoints 213 and 214 communicate with client 212, which multiplexes the communications on multi-port communications 207 into a single port stream on single port data stream 208. Client 212 then transmits the multiplexed communication stream through remote firewall 211 and Internet firewall 202 to communication server 203. The communication stream from client 212 comes into Internet firewall 202 addressed to the specific port designated for the IP communication. Internet firewall 202, therefore, lets the data packets through to communication server 203. Communication server 203 is then able to transmit the communication stream to client 204 through private firewall 201.
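As an added illustration (not code from the original text) of the multiplexing described for IP communication system 20, the following toy framing tags each endpoint stream with its original port and packs the streams into one byte stream for the single designated port; the server side unpacks them, rejects truncated frames, and the firewall check models the single opened port. The designated port 5000 and the sample stream ports and payloads are constructed assumptions.

```python
import struct

# Each frame: 16-bit original destination port, 16-bit payload length, payload.
HEADER = struct.Struct("!HH")
DESIGNATED_PORT = 5000  # assumed single port opened in both firewalls (constructed value)

def multiplex(streams):
    """Client side: combine (original_port, payload) pairs from the endpoints
    into one byte stream that can be sent to the designated port."""
    out = bytearray()
    for port, payload in streams:
        if not 0 <= port <= 65535:
            raise ValueError(f"bad port {port}")
        if len(payload) > 65535:
            raise ValueError("payload too large for 16-bit length field")
        out += HEADER.pack(port, len(payload)) + payload
    return bytes(out)

def demultiplex(data):
    """Server side: recover the (original_port, payload) pairs.
    Raises ValueError on a truncated frame rather than delivering partial data."""
    frames, offset = [], 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError("truncated frame header")
        port, length = HEADER.unpack_from(data, offset)
        offset += HEADER.size
        if len(data) - offset < length:
            raise ValueError("truncated payload")
        frames.append((port, bytes(data[offset:offset + length])))
        offset += length
    return frames

def firewall_then_server(dst_port, data):
    """The Internet firewall passes only packets addressed to the designated port;
    anything else never reaches the communication server (returns None)."""
    if dst_port != DESIGNATED_PORT:
        return None
    return demultiplex(data)

def example_streams():
    """Constructed sample: signaling plus two media streams on different ports
    (port numbers and payloads are assumptions, not taken from the text)."""
    return [(5060, b"INVITE sip:bob@example.net"),
            (49170, b"\x80\x00audio-rtp"),
            (49171, b"\x80\x00video-rtp")]
```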
FIG. 3 is a block diagram illustrating IP communication system 30. Instead of opening up new holes in firewalls 300 and 301, or using any existing open ports, IP communication system 30 simply goes around the company firewall, e.g., firewalls 300 and 301. IP communication system 30 connects to Internet 11 using a standard, non-secure Internet connection, connection 304. IP communication system 30 comprises endpoints 302 and 303, which include proprietary code enabling IP communication to be established over connection 304. Because neither connection 304 nor the communication equipment (i.e., endpoints 302 and 303) is connected into the users' systems, there is little danger that any faults or malevolent traffic will jeopardize those systems. However, implementing a totally separate system does not take advantage of the benefits of using the entity's protected, backend system. Examples of such systems, which address the firewall and NAT problem by completely bypassing the company's protected, backend system, are video conferencing systems from Polycom, Inc.